早上发现DNS流量有些异常,查了query.log日志如下:
9-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.588 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.657 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.663 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.758 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.802 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.824 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.848 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
处理方法:
添加iptables规则(需要添加connlimit模块),限制单IP并发请求数:
- -A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j DROP
- -A INPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
- -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
一、首先检查bind本身安全,利用bind添加acl,同时限制递归查询,添加黑名单。
- acl "mynetwork" {
- 183.61.81.0/25;
- 119.38.123.0/25;
- 180.60.116.0/25;
- 163.172.24.0/25;
- 127.0.0.1/32;
- };
- acl "blackhats" {
- 108.162.204.88;
- 184.168.72.113;
- 93.170.127.96;
- 72.46.155.84;
- 178.33.217.2;
- 72.46.132.122;
- 78.159.111.197;
- 192.96.200.41;
- };
全局设置变更:
allow-query { mynetwork; }; #这里设置自己网络,zone里面可以设置成any
allow-recursion { mynetwork; }; #针对递归进行处理
#allow-query-cache {mynetwork;}; #针对查询缓存处理
version "hello babay"; #隐藏版本
edns-udp-size 1024; # 设置udp消息大小,单位字节
max-udp-size 4096; #设置最大udp消息大小,单位字节
blackhole {blackhats;};#设置黑名单
二、利用fail2ban过滤日志,调用iptables限制指定ip地址
下载fail2ban: https://github.com/fail2ban
或http://sourceforge.net/projects/fail2ban/
我这里用的是fail2ban-0.8.4,解压包后
执行python setup.py install安装完成。
/etc/fail2ban/jail.conf 过滤相关服务配置文件
/etc/fail2ban/fail2ban.conf 主配置文件,设置sock和日志文件
/etc/fail2ban/filter.d/ 相应服务的过滤规则文件路径
/etc/fail2ban/action.d/ 相应服务的动作配置文件路径
jail.conf添加指定服务参数:
- [named-refused-udp]
- enabled = true
- filter = named-refused #指定过滤规则
- action = iptables-multiport[name=Named, port=53, protocol=udp]
- sendmail-whois[name=Named, [email protected]]
- logpath = /opt/soft/bind/log/query.log #指定过滤日志
- bantime = 3600 #封锁时间,单位秒,
- findtime = 100 #100秒内超过次数屏蔽,单位秒
- maxretry = 3 #最大尝试次数
- ignoreip = 127.0.0.1
- [named-refused-tcp]
- enabled = true
- filter = named-refused
- action = iptables-multiport[name=Named, port=53, protocol=tcp]
- sendmail-whois[name=Named, [email protected]]
- logpath = /opt/soft/bind/log/query.log
- bantime = 360000
- findtime = 100
- maxretry = 3
- ignoreip = 127.0.0.1
添加过滤规则:named-refused.conf
- # Fail2Ban configuration file for named (bind9). Trying to generalize the
- # structure which is general to capture general patterns in log
- # lines to cover different configurations/distributions
- #
- # $Revision: 730 $
- #
- [Definition]
- #
- # Daemon name
- _daemon=named
- #
- # Shortcuts for easier comprehension of the failregex
- __pid_re=(?:\[\d+\])
- __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
- __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
- # hostname daemon_id spaces
- # this can be optional (for instance if we match named native log files)
- __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
- # Option: failregex
- # Notes.: regex to match the password failures messages in the logfile.
- # Values: TEXT
- #
- failregex = %(__line_prefix)sclient <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED*
- # Option: ignoreregex
- # Notes.: regex to ignore. If this regex matches, the line is ignored.
- # Values: TEXT
- #
- ignoreregex =
执行动作文件#egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf
- [Definition]
- actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
- actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
- actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
- actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
- [Init]
- name = default
- port = ssh
- protocol = tcp
fail2ban-client start或fail2ban-server 启动服务
我们看下效果吧,已经有拉黑的IP了。
#fail2ban-client status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
| |- File list: /opt/soft/bind/log/query.log
| |- Currently failed: 5
| `- Total failed: 299
`- action
|- Currently banned: 5
| `- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32 (国外的IP已经拉黑啦)
`- Total banned: 15
Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
pkts bytes target prot opt in out source destination
Iptables的也已经自动添加了
Chain fail2ban-Named (2 references)
pkts bytes target prot opt in out source destination
9 576 DROP all -- * * 174.142.207.122 0.0.0.0/0
241 15424 DROP all -- * * 61.147.120.25 0.0.0.0/0
27 1728 DROP all -- * * 61.147.112.32 0.0.0.0/0
115 7360 DROP all -- * * 178.32.244.170 0.0.0.0/0
119 7616 DROP all -- * * 61.147.112.29 0.0.0.0/0
51 3264 DROP all -- * * 94.75.243.137 0.0.0.0/0
2206 141K DROP all -- * * 107.20.206.69 0.0.0.0/0
12829 833K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
查阅资料地址:
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html
http://www.isc.org/software/bind/documentation
http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query
http://www.bergercity.de/tag/bind/
http://sourceforge.net/projects/fail2ban/
http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup